AOL Server provides an API to develop external database driver
proxy daemons. Those daemons are linked to a library (libnspd.a).

The intexxia laboratory found a format string vulnerability and a
buffer overflow vulnerability in the library's 'Ns_PdLog' function.
Successful exploitation of the bug could allow an attacker to execute
code and gain access to the system.

As a result, all the External Driver Proxy Daemons using the 'Ns_PdLog'
function with the 'Error' or 'Notice' parameter are potentially
vulnerable.
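
The bug class described above, shown as an added example (this is not
AOLserver's code and not the intexxia patch). The names pd_log_safe,
pd_format and PD_LOG_MAX and the 256-byte buffer are assumptions made
for illustration; the weak pattern appears only as a comment.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define PD_LOG_MAX 256   /* assumed buffer size, for illustration only */

/* Weak pattern for a logging helper (comment only, never compiled):
 *     char buf[PD_LOG_MAX];
 *     vsprintf(buf, fmt, ap);   // unbounded write: buffer overflow
 *     syslog(priority, buf);    // text reused as a format: format string bug
 */

/* Bounded formatting step.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on error. */
static int pd_format(char *out, size_t outlen, const char *fmt, va_list ap)
{
    int n = vsnprintf(out, outlen, fmt, ap);
    if (n < 0) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen;
}

/* Hardened logger (hypothetical name). The caller's fmt must be a
 * constant string; untrusted text is passed only as an argument.
 * The optional copy buffer receives what was logged, for inspection. */
int pd_log_safe(int priority, char *copy, size_t copylen, const char *fmt, ...)
{
    char buf[PD_LOG_MAX];
    va_list ap;
    int truncated;

    va_start(ap, fmt);
    truncated = pd_format(buf, sizeof buf, fmt, ap);
    va_end(ap);

    /* The formatted text is data here, never a format string. */
    syslog(priority, "%s", buf);
    if (copy && copylen)
        snprintf(copy, copylen, "%s", buf);
    return truncated;
}
```

Conversion specifiers inside an argument are logged verbatim, and
oversized input is cut at the buffer size instead of overrunning it.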

This vulnerability has been fixed in the current version in CVS
branch nsd_v3_r3_p0 (post-AOLserver 3.4.2), and the fix can be used
for any affected version. The patch was created by intexxia and is
attached. More information can be found at the following URL: